In this episode I talk about the evolving world of ransomware. I discuss a few examples of unique tactics the malicious actors are using to put pressure on organizations to pay the ransom.
Referenced Articles:
https://www.theregister.com/AMP/2024/04/30/finnish_psychotherapy_center_crook_sentenced/
https://www.darkreading.com/cyber-risk/hackers-weaponize-sec-disclosure-rules-against-corporate-targets
https://www.theregister.com/2024/01/05/swatting_extorion_tactics/
For more info go to https://www.developsec.com or follow us on X (@developsec).
DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.
Transcript:
Hey, everyone. Welcome to episode 121 of the DevelopSec podcast. Today, I want to talk about ransomware and some of the new tactics that I’ve been seeing over the past few years, and I’ve got a couple different examples. I’ll include the links to these articles in the show notes. But I want to talk about some of the trends that we’re seeing across ransomware as it has kind of matured, I guess, over the past few years. So my first article actually goes back to 2018. And, really, the side of the tactics that we’re looking at is how they’re changing: how they push for and motivate organizations to actually pay the ransom. Because as we’ve seen different things change over the years, we’ve started to see some software come out that helps mitigate ransomware.
Previously, it started with the capability of saying, hey, we can try to brute force the keys and be able to unlock that ransomware, or maybe we have backups that we’re going to use to be able to recover from ransomware when it hits our organization. And now we’re starting to see some pretty cool software coming out that allows you to actually capture the keys if you have it installed on your system. When they go to encrypt your data, it actually captures that key. It detects the encryption, and then it’s going to allow you to quickly decrypt all your data so you don’t have to worry about paying that ransom. Of course, we’ve seen an evolution in ransomware, maybe because of some of that, and also because there’s lots of pushback on paying ransoms: not only do they encrypt the data on your machine, but now a lot of times they’re actually exfiltrating that data and then holding the data for ransom versus holding your systems for ransom. So this is kind of an interesting tactic, because now it’s less about the encryption piece, which I think we’re starting to see some solving of. But now it’s turning into more of the, hey,
I got the data. There’s not a lot you can do about that. Now, if you don’t want me to release it, pay the ransom, and we’ll get that information out there. But one of the cool things, or one of the interesting things, that we started seeing is that we still have organizations that maybe aren’t very quick to pay it. They don’t want to pay it. So what’s the malicious actor to do here? And there’s a couple techniques that we’re starting to see. I don’t know how prevalent they really are out there, but we have started to see them come out, and we want to think about how those affect the end users. Really, that’s where some of this stuff is going. So the first one that I want to talk about happened back in 2018, where an attacker stole sensitive records from a health clinic of sorts.
Again, I’ll have the links to the articles if you want the specifics. But instead of going maybe straight to the company and looking for them to pay the ransom, they instead went towards the victims that were listed in the data breach. So instead of going to the organization, it was the patients that they were going after. And instead of a huge sum settlement here of millions of dollars or hundreds of thousands of dollars, instead they were sending out emails directly to those patients, those users, and demanding, in this case, 213 US dollars that they had to pay within 24 hours. And then, according to the article, it was reported that if they didn’t pay within the 24 hours, it would jump to 534 US dollars if that initial demand was not met. So now, instead of going after this huge lump sum, we’re going after small little payments from just the end user. Kind of an interesting new tactic. Now, this person was actually caught, and just recently, I think, they were charged.
I think that’s where the article kind of popped up. But the list of things that happened, the charges, is pretty interesting. So they were charged with 20,745 counts of aggravated attempted blackmail, 9,231 counts of aggravated dissemination of information infringing on individuals’ private lives. That’s kind of an interesting thing. This was actually not in the US, also, but kind of an interesting thing to be charged with. And then 20 counts of aggravated blackmail. So I’m assuming that maybe the 20 counts of aggravated blackmail are the number of people that actually fell for the email. And I say fell for it, but it wasn’t really phishing. Right? I mean, it was legit. But they actually maybe paid that value that they requested.
So I look at this and I wonder how that changes the legality side of things. If I’m an attacker that just ransomwared an organization, I’m curious, and I’m no lawyer. I’d love to get somebody that knows a little bit more about this. But does it change your risk as the attacker that you’ve gone from a huge, you know, hundreds of thousands or millions of dollars type of thing down to multiple small, you know, $200, $300 values? You know, are you going from misdemeanors to felonies? Are you changing that stuff around? Again, I’m not a lawyer, so I don’t know. But it is kind of interesting to think about how that changes their path. But it’s also a diversion from where it used to be. It used to be just going after the organization. You just assume they would pay.
And now it’s stepping down into, well, let’s go after each person in the data dump. Let’s see what we can get them to give us. And if we cast that net wide enough and I get enough people paying me $200, does that make it more valuable to me than really trying to fight for the higher amount that the organization might not pay at all? So, kind of an interesting tactic. Again, that was back in 2018 that we saw this. Now, the next one I want to talk about, kind of following a timeline here, happens around November of 2023. And this is another interesting switch in tactics. It came out not long after the SEC created some new reporting guidelines, where they were basically saying, for a public company, if you’ve had a material incident, and I think material is kind of a keyword there, and probably also a little bit of a gray word as to what is a material incident.
But the idea behind a material incident is something that somebody would want to know, right, if they’re investing in the organization. Does it have a material impact on the organization, the stock price, that type of stuff? So if there’s a material incident, you have 4 days to report that. And the way you do that is through Form 8-K, and that’s how you’d report it to the SEC. Well, this attack group, malicious organization, decided that they would go ahead. They breached an organization. They waited the 4 days, and then they saw that there was no Form 8-K actually filed. So they went ahead and filed a complaint to the SEC themselves, which is really interesting to think about. Like, you’ve got a malicious actor that just breached the organization.
And then, I don’t know if they actually did a ransom payment to the organization, but they went and actually filed this breach report to the SEC themselves, trying to basically tattle on them, saying, hey, this company was breached and they didn’t file with you. Which is really kind of an interesting technique. When I first saw this story, the first thing I thought of was, you know, is this like some sort of whistleblower opportunity, where instead of trying to ransom the organization, like, hey, let’s just go hack them, and then if they don’t file in time, we’ll blow the whistle on them? And then a lot of times in whistleblower scenarios, you’re getting some sort of cut from whatever fines or anything that are levied. So maybe there’s a chance to be able to get that money that way. And now you’re almost getting it legit.
I don’t know. Like, it’s really interesting to think about that. Like, I’m going to do the bad work, but then I’m going to tell on you for it and then get paid for telling on you. We’ll just ignore the fact that we actually are the ones that did that. So, kind of interesting. I haven’t seen any more of these scenarios pop up in the news, at least, so I don’t know if it’s still happening. But something for an organization to think about is that, okay, well, we have these reporting deadlines, and we’ve got them for all these different things.
The SEC is not the only thing. There’s your stuff for the FTC. Like, you name it. There’s reporting guidance that’s out there for all these. So there’s a lot to keep up with. Is there an opportunity here that they’re going to try to do that? Does that help motivate you if there was a ransom payment requested, or do they just ignore the ransom payment altogether and just say, hey, can we try to get some money here by telling on them for not actually reporting the breach that they suffered? So, again, a very interesting thing to see there. The final one that I have came out in January of 2024, and it was a cancer center of some sort that actually got breached.
They had a ransomware incident. And kind of like the first story, right, where they’re going after the people that were in the breach, not the organization directly. But here they were using the people in the breach, because they were actually going after the organization, because they did request ransom from the organization. But, again, we have a lot of organizations that are pushing back on paying ransoms. You’ve got the FBI and the government saying don’t pay ransoms. Right? So there’s a lot of push to not do this. And if you can recover, then maybe you don’t want to do it. So in this case, they actually started putting pressure on the organization to pay by threatening to SWAT the patients, the cancer patients. They wanted to SWAT the patients or call in bomb threats, something that would involve a heavily armed police response to the patient’s house.
So now imagine that you’re an organization, and now you have this added risk. Not only do we have maybe this huge ransom payment that’s sitting on the edge, but we’ve got the risk to our patients. And, you know, one of our biggest priorities as an organization is protecting our patients, who could now potentially be facing things like swatting or bomb threats. Right? They’re going to be harassed at their home. You know? So does that entice you more to say, okay, yep, we’ll go ahead and pay this? I don’t want that to happen.
Now, I don’t know if any swatting calls or bomb threats were actually called in in this situation, but they were definitely changing their tactic and using that as sort of leverage to get in there. So it’s really interesting to see how some of these tactics are changing. One of the other things that I think about is the phishing side of the house, or the social engineering side of the house, but specifically around the phishing side. You know, we run a lot of simulations in our organizations of what to look out for, even within the organization. But when you step out of that organization, and I always like to think, when we’re doing stuff at the org level with our employees, how do we relate that to the personal level? And I think these are good bridges into that, because the training you’re getting at the office comes into play here now at home. If you happen to be one of those people in that breach, now you’re at risk of getting emails that are saying, hey, you need to pay us money. You need to do this.
How do we know if those are legit? If there’s something we need to worry about, did this really happen? You know, years ago, and maybe it’s still going on, but junk mail filters have gotten a lot better, there were actually a lot of emails coming out, right, where it was saying, like, you went and looked at adult websites, and I have you on camera doing this, and you need to pay me this money. Remember those going around? This happened for quite a while. And, you know, it was pretty easy to sit there and say, I would hope for most people, like, yeah, no, that didn’t happen. Right? Like, I know I didn’t do that. It’s not a problem for me.
So we just ignore that. But now those phishing emails turn into, hey, I know you did this. Right? Because they have your information from that data breach. So it’s easy to say, hey, I know you’re a user of XYZ. Hey, we’ve got all your data now.
And instead of us going to them, we’re coming to you. It’s a small amount, $50, and we won’t share it with anybody else. It’s a lot harder to really understand and grasp what that really means for an end user. Now there is no, oh, I know I got caught doing something maybe I shouldn’t have done or people might not like me doing. But now it’s just, wait, my data was in a data breach, which, well, that’s everybody. What am I supposed to do now? Like, that’s very possibly true. I really don’t have an easy way to tell. Is this legit? Did my data exist in this data breach for this company that you claim to have attacked? Or are you just taking regular data from the dark web that’s been sold 100,000 times and now pushing it at me and trying to say that this is what we have going on? So it’s going to be interesting to see how we modify maybe some of our phishing campaigns to try to deal with this, and how we educate our users, how we educate everybody out there on what this stuff really means.
Because there’s a chance that this could be going that direction where, hey, if I can get, you know, 100,000 people to pay me $50, is that an easier path than going straight to the organization to pay a lump sum, a bigger amount? Because the organization is going to be quick to jump in and say, hey, look, we’ve got to get people involved. Sometimes they have to get people involved. We’ve been briefed. We’ve got to get the FBI involved. We’ve got to get whoever involved.
But if you’re doing it at a smaller scale, like most of the phishing campaigns actually happen, all the lottery scams, all that stuff, right? Those are little teeny one-offs, and there are small amounts. So until you can relate them all to say, hey, look, this is one big, huge thing, we’ve got to address this all at once, they kind of fly under that radar a little bit more. It’s harder to go in and investigate all those different pieces.
So we really have to kind of consider how we’re going to handle that. I’ll be curious to see, you know, if you have thoughts on this, if you’ve seen other tactics that people are using. Feel free to share them. You know, you can send them to james@developsec.com. But send over your ideas of what other people may be doing. I think this is a good opportunity for us to start thinking about how we get ahead of what the malicious users are doing. We follow everything that happens. Oh, they tried this. Oh, wow.
We’ve got to think about that. To start thinking about, okay, what else could we be doing here? What could they be doing that we want to get ahead of and say, oh, wow, they breached this data. What could they do with that? Let’s start thinking about that, not what have they done with that. But, again, I’ll post the links to these articles. It’s pretty interesting to see. Ransomware is an interesting topic because it is kind of changing over the last few years.
We are seeing that push from just encrypting data to really more of either a hybrid of encrypting and exfiltrating the data, or just exfiltrating the data and not even encrypting the data anymore, to try to push that ransom. So, very interesting topic. Hopefully, you’ve got some thoughts about it. If you do, send them my way. Happy to hear about them. But thanks, everyone, for listening to this episode, and we’ll catch you on the next episode.
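One point from the transcript above is that many small demands sent to breach victims only look like one incident once somebody relates them to each other, and that until then they fly under the radar. As an added example, not part of the episode and not DevelopSec's code, the script below groups extortion emails that users forward to a phishing mailbox by the indicators an extortionist has to reuse: a payment address, or failing that the demanded amount plus deadline. The report texts, reporter names and wallet strings are all constructed for the example, and the address patterns are an assumption that covers only Bitcoin and Ethereum formats.

```python
"""Cluster user-reported extortion emails into campaigns.

Added example, not from the DevelopSec episode. Groups forwarded reports by
indicators the sender must reuse (a payment address, or the demand shape when
no address is present) so a phishing mailbox shows "one wallet, 30 reports"
instead of 30 unrelated tickets. All sample data below is constructed.
"""
import re
from collections import defaultdict

# Assumption: only Bitcoin (bech32 and legacy) and Ethereum address shapes.
WALLET_RE = re.compile(
    r"\b(?:bc1[0-9a-z]{25,62}"            # Bitcoin bech32
    r"|[13][a-km-zA-HJ-NP-Z1-9]{25,34}"   # Bitcoin legacy / P2SH (base58)
    r"|0x[0-9a-fA-F]{40})\b"              # Ethereum
)
# "$50", "$ 1,500.00", "0.002 BTC", "500 USD"
AMOUNT_RE = re.compile(
    r"(\$\s?\d[\d,]*(?:\.\d+)?|\d+(?:\.\d+)?\s?(?:BTC|XMR|ETH|USD|EUR))", re.I
)
DEADLINE_RE = re.compile(r"within\s+(\d+)\s*(hour|day)s?", re.I)

# Constructed wallet strings (not real addresses).
BTC_A = "bc1q" + "a" * 40
BTC_B = "1" + "FakeAddr" * 4

# Constructed reports, as forwarded by recipients of the demands.
SAMPLE_REPORTS = [
    {"reporter": "alice", "body": f"We have your Acme Clinic file. Pay $50 to {BTC_A} within 24 hours or it goes public."},
    {"reporter": "bob", "body": f"Your therapy notes from Acme Clinic are in our hands. Send $50 to {BTC_A} within 24 hours."},
    {"reporter": "carol", "body": f"Last warning. $ 50 to {BTC_A}, 1 day left, then it is $134."},
    {"reporter": "dave", "body": f"I have your data from Acme Clinic. 0.002 BTC to {BTC_B} within 2 days."},
    {"reporter": "erin", "body": f"Pay 0.002 BTC to {BTC_B} within 48 hours or your records go to your employer."},
    {"reporter": "frank", "body": "I recorded you through your webcam. Send 500 USD within 48 hours."},
]


def extract_indicators(body: str) -> dict:
    """Pull the reusable parts of a demand out of free text."""
    wallets = set(WALLET_RE.findall(body))
    m = AMOUNT_RE.search(body)
    amount = re.sub(r"[\s,]", "", m.group(1)).upper() if m else None
    d = DEADLINE_RE.search(body)
    deadline_hours = None
    if d:
        n, unit = int(d.group(1)), d.group(2).lower()
        deadline_hours = n * 24 if unit == "day" else n
    return {"wallets": wallets, "amount": amount, "deadline_hours": deadline_hours}


def cluster_reports(reports: list) -> list:
    """Union-find over reports: any shared wallet links two reports; reports
    with no wallet fall back to (amount, deadline) as a weaker key."""
    parent = list(range(len(reports)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    def union(a, b):
        parent[find(a)] = find(b)

    indicators = [extract_indicators(r["body"]) for r in reports]
    seen = {}  # indicator key -> first report index that carried it
    for i, ind in enumerate(indicators):
        keys = [("wallet", w) for w in ind["wallets"]]
        if not keys and ind["amount"] is not None:
            keys = [("demand", ind["amount"], ind["deadline_hours"])]
        for k in keys:
            if k in seen:
                union(i, seen[k])
            else:
                seen[k] = i

    groups = defaultdict(list)
    for i in range(len(reports)):
        groups[find(i)].append(i)

    campaigns = []
    for members in groups.values():
        wallets = set().union(*(indicators[i]["wallets"] for i in members))
        campaigns.append({
            "reports": len(members),
            "reporters": sorted(reports[i]["reporter"] for i in members),
            "wallets": sorted(wallets),
            "amounts": sorted({indicators[i]["amount"] for i in members if indicators[i]["amount"]}),
        })
    campaigns.sort(key=lambda c: -c["reports"])  # biggest campaign first
    return campaigns


if __name__ == "__main__":
    for c in cluster_reports(SAMPLE_REPORTS):
        print(f"{c['reports']} reports  wallets={c['wallets']}  amounts={c['amounts']}  from={c['reporters']}")
```

The wallet key is the strong signal: an extortionist can vary wording and amounts per victim, but the money has to land somewhere. The demand-shape fallback is deliberately weak and is only used when no address is present, so unrelated sextortion spam with a similar price does not get merged into a breach-specific campaign.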